Two Ways the Surveillance Transparency Rules for Companies Are Not Transparent

In response to the public uproar over mass surveillance, and a lawsuit brought by Internet companies, the U.S. government recently established rules to allow companies to report some details on surveillance demands in intelligence investigations. However, the government carefully worded its new rules in a way that still obscures the true scope of surveillance on companies’ users.

To their credit, many companies are taking advantage of the new transparency rules to provide the public with more information about national security-related surveillance demands. Several Internet companies have since updated their regular transparency reports to reflect the new data the government permitted them to disclose. AT&T was the first telecom company to issue a national security surveillance transparency report under the new rules, and Verizon issued its own soon thereafter.

However, it has become clear that the tricky wording of the government’s rules effectively cloaks the scope of the NSA’s mass surveillance. Here are two ways the new surveillance transparency rules can actually mislead the public into thinking there is less surveillance than actually takes place.

By now it is public knowledge that, under Section 215 of the PATRIOT Act, the NSA collects and stores phone records – in bulk and on an ongoing basis – on millions of Americans who are not connected to a crime or terrorism investigation. These call records detail who calls whom, when, and for how long – which qualify as “non-content” metadata. Since the NSA is demanding this information from the telecom companies, one would expect that a telecom reporting under the new transparency rules would show that tens of millions of user accounts were affected by non-content surveillance demands.

Yet the recent transparency reports from AT&T and Verizon don’t reveal this at all. Instead, AT&T’s report says that 0-999 customer accounts were affected by surveillance demands for non-content, and Verizon says 0-999 “customer selectors” were part of the surveillance demands. There’s no indication that the NSA’s nationwide dragnet of phone records paused during the first half of 2013 (the period covered by the report), so why the discrepancy in the numbers?

A closer look at the DOJ’s new rules shows that they prevent reporting the bulk collection of records. Companies are actually not allowed to report the number of accounts affected by FISA orders, including demands for phone metadata made under Section 215 of the PATRIOT Act. Instead, companies may only report the number of “customer selectors targeted,” which is not the same thing as the number of customer accounts. “Customer selectors” are identifiers, such as specific telephone numbers, email addresses, IP addresses, etc. When one selector is targeted for surveillance, multiple accounts may be affected. For example, when a surveillance demand targets an email address (the customer selector targeted), but the demand encompasses records on every account that has communicated with that address, the companies can only report the one customer selector targeted but not all the accounts affected by the demand. If the companies receive a bulk surveillance order – such as an order for the bulk collection of telephone records – it is unclear whether companies can report even the “customer selectors targeted” since there is no specific target.

The result is that companies are still prohibited from reporting the large number of their customers that are affected by national security surveillance. Company transparency reports should reflect the limitations of the rules. The transparency reports of many companies – including Apple, AT&T, Facebook, Google, LinkedIn, Microsoft, and Yahoo – refer to “accounts impacted” or “users/accounts,” but this appears to be an error because disclosure of the number of customer accounts is still prohibited. Instead, companies should make clear that they are reporting “customer selectors targeted.” And, to the extent permitted by the government, the reports should inform readers what counts as a selector. That sounds more opaque, but that’s what the government limits the companies to reporting.

2) The Rules Lump Together Surveillance Disclosures Made Under Probable Cause With Those That Are Not

There are two main ways to obtain actual “orders” to collect communications content in the U.S. for intelligence: 1) A Foreign Intelligence Surveillance Court (FISC) order issued under Section 107 of FISA, which is individually targeted and requires a finding by the FISC of probable cause to believe that the person is a terrorist, spy, or other agent of a foreign power, or 2) A “tasking order” issued by the government under Section 702 of FISA, which requires no individualized determination whatsoever, only annual approval by the FISC of targeting guidelines reasonably designed to ensure that the target is located outside the United States and that certain “minimization procedures” are in place – a much lower standard than Section 107.

The difference between Sections 107 and 702 is significant in terms of the privacy protections provided in the law. However, the DOJ’s new transparency rules limit companies to reporting all FISA orders for communications content as one number, thus lumping together orders made under Sections 107 and 702. Still, a comparison between company reports on surveillance demands and the government’s own annual surveillance reports suggests that warrantless Section 702 orders affect far more people in the U.S. than the more targeted Section 107 orders.

The DOJ’s 2012 surveillance report showed that there were only 1,856 orders under Section 107. Each of those orders under Sec. 107 should affect only one or a few accounts because Section 107 orders are targeted as a result of the probable cause requirement. Yet the Internet companies’ transparency reports – such as that from Google, Microsoft, and Yahoo! – show tens of thousands of accounts were affected by FISA content orders. Orders made under Section 702 likely make up the difference.

As a result, we can be fairly sure that most intelligence surveillance in the U.S. to collect contents of communications is conducted without a warrant and without probable cause under Section 702 of FISA. That is useful, if chilling, information that was not before apparent. We can’t be certain of the true numbers because the DOJ’s transparency rules won’t allow it: companies must report orders under Sections 107 and 702 as one number. The unfortunate effect is to obscure the scope of intelligence surveillance targeting people in the U.S. because the numbers that reflect domestic surveillance are lumped in with the much larger numbers for surveillance targeting people abroad.

Conclusion

People in the U.S., and abroad, should know how much surveillance targets them. But they won’t get that kind of clarity under the current transparency reporting rules the government has imposed on companies. Instead, the government’s “transparency” rules can give the false impression that mass surveillance isn’t happening at all, even when it is widely acknowledged elsewhere. The NSA’s phone record dragnet is only one mass surveillance program we know about, but what other programs do the transparency rules hide?

The government’s loosening of the restrictions on transparency is a positive development overall, but additional improvements must be made for that transparency to be meaningful.